The attack presents a particular threat to small businesses, since many of them outsource their IT to third-party contractors, which leverage RDP to access their networks — the largest business Sophos saw hit by this attack had 120 employees, and most had 30 or fewer.
The researchers found that cybercriminals are using network search engines like Shodan to search for RDP instances open to the Internet, then leveraging NLBrute to launch brute force attacks on RDP — and then logging in and creating several additional administrative accounts.
Once they’ve established persistent access, the attackers download and install low-level system tweaking software, then use that software to reconfigure (or just disable) anti-malware software, backup services, and database services. Then they download and run ransomware.
“Because they’ve used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the Internet ‘for free,'” Sophos’ Mark Stockley wrote in a blog post detailing the threat.
“In one attack, we saw a folder on the desktop containing four different types of ransomware,” Stockley wrote. “The crooks ran each in turn until one of them worked.”
In response to the threat, Sophos suggests taking the following precautions:
- If you don’t need RDP, make sure it’s turned off
- Consider using a virtual private network (VPN) for connections from outside your network
- Use two-factor authentication (2FA) wherever you can
- Patch early, patch often
- After an attack, check to see what the crooks have changed
- Set a lockout policy to limit password guessing attacks
Another advisable precaution is to back up sensitive data on regular basis — but a recent StorageCraft survey of more than 500 IT decision makers found that 51 percent of respondents said that while they would benefit from more frequent data backup, their existing IT infrastructure doesn’t allow it.
Additionally, 51 percent of respondents said they aren’t confident in their ability to perform instant data recovery in the event of a failure, and 43 percent said they’re struggling with data growth and believe it’s going to get worse.
A separate Intermedia survey of more than 1,000 U.S. office workers found that while 70 percent said their organization regularly communicates about cyber threats and 30 percent said their organization specifically warned of the WannaCry attack, 31 percent admitted they aren’t familiar with ransomware.
Among those that have fallen victim to a ransomware attack at work, 59 percent of employees paid the ransom themselves, and 37 percent said their employers paid.
Surprisingly, that number actually rose among those who were specifically alerted to the WannaCry attack by their employers — 69 percent of those employees paid the ransom themselves.
“Our latest report shows that, even in the face of increasing attacks, there are large gaps in overall awareness of how to handle a ransomware strike,” Intermedia CTO Jonathan Levine said in a statement. “Employees are willing to go to great lengths to try to get data back, including paying ransoms out of their own pockets, even though 19 percent of the time the data isn’t released even after the ransom is paid.”
“As ransomware continues to evolve and become more advanced, organizations of all sizes and types must acknowledge it as a very real threat,” Levine added. “This is especially true for SMBs that may not have the resources, tools or training that larger organizations use to recognize, prevent and protect themselves from such attacks.”